xref: /optee_os/core/lib/libtomcrypt/src/hashes/rmd160.c (revision 5b25c76ac40f830867e3d60800120ffd7874e8dc) 
1 // SPDX-License-Identifier: BSD-2-Clause
2 /* LibTomCrypt, modular cryptographic library -- Tom St Denis
3  *
4  * LibTomCrypt is a library that provides various cryptographic
5  * algorithms in a highly modular and flexible manner.
6  *
7  * The library is free for all purposes without any express
8  * guarantee it works.
9  */
10 #include "tomcrypt_private.h"
11 
12 /**
13    @file rmd160.c
14    RMD160 hash function
15 */
16 
17 /* Implementation of LTC_RIPEMD-160 based on the source by Antoon Bosselaers, ESAT-COSIC
18  *
19  * This source has been radically overhauled to be portable and work within
20  * the LibTomCrypt API by Tom St Denis
21  */
22 
23 #ifdef LTC_RIPEMD160
24 
25 const struct ltc_hash_descriptor rmd160_desc =
26 {
27     "rmd160",
28     9,
29     20,
30     64,
31 
32     /* OID */
33    { 1, 3, 36, 3, 2, 1,  },
34    6,
35 
36     &rmd160_init,
37     &rmd160_process,
38     &rmd160_done,
39     &rmd160_test,
40     NULL
41 };
42 
43 /* the five basic functions F(), G() and H() */
44 #define F(x, y, z)        ((x) ^ (y) ^ (z))
45 #define G(x, y, z)        (((x) & (y)) | (~(x) & (z)))
46 #define H(x, y, z)        (((x) | ~(y)) ^ (z))
47 #define I(x, y, z)        (((x) & (z)) | ((y) & ~(z)))
48 #define J(x, y, z)        ((x) ^ ((y) | ~(z)))
49 
50 /* the ten basic operations FF() through III() */
51 #define FF(a, b, c, d, e, x, s)        \
52       (a) += F((b), (c), (d)) + (x);\
53       (a) = ROLc((a), (s)) + (e);\
54       (c) = ROLc((c), 10);
55 
56 #define GG(a, b, c, d, e, x, s)        \
57       (a) += G((b), (c), (d)) + (x) + 0x5a827999UL;\
58       (a) = ROLc((a), (s)) + (e);\
59       (c) = ROLc((c), 10);
60 
61 #define HH(a, b, c, d, e, x, s)        \
62       (a) += H((b), (c), (d)) + (x) + 0x6ed9eba1UL;\
63       (a) = ROLc((a), (s)) + (e);\
64       (c) = ROLc((c), 10);
65 
66 #define II(a, b, c, d, e, x, s)        \
67       (a) += I((b), (c), (d)) + (x) + 0x8f1bbcdcUL;\
68       (a) = ROLc((a), (s)) + (e);\
69       (c) = ROLc((c), 10);
70 
71 #define JJ(a, b, c, d, e, x, s)        \
72       (a) += J((b), (c), (d)) + (x) + 0xa953fd4eUL;\
73       (a) = ROLc((a), (s)) + (e);\
74       (c) = ROLc((c), 10);
75 
76 #define FFF(a, b, c, d, e, x, s)        \
77       (a) += F((b), (c), (d)) + (x);\
78       (a) = ROLc((a), (s)) + (e);\
79       (c) = ROLc((c), 10);
80 
81 #define GGG(a, b, c, d, e, x, s)        \
82       (a) += G((b), (c), (d)) + (x) + 0x7a6d76e9UL;\
83       (a) = ROLc((a), (s)) + (e);\
84       (c) = ROLc((c), 10);
85 
86 #define HHH(a, b, c, d, e, x, s)        \
87       (a) += H((b), (c), (d)) + (x) + 0x6d703ef3UL;\
88       (a) = ROLc((a), (s)) + (e);\
89       (c) = ROLc((c), 10);
90 
91 #define III(a, b, c, d, e, x, s)        \
92       (a) += I((b), (c), (d)) + (x) + 0x5c4dd124UL;\
93       (a) = ROLc((a), (s)) + (e);\
94       (c) = ROLc((c), 10);
95 
96 #define JJJ(a, b, c, d, e, x, s)        \
97       (a) += J((b), (c), (d)) + (x) + 0x50a28be6UL;\
98       (a) = ROLc((a), (s)) + (e);\
99       (c) = ROLc((c), 10);
100 
101 
102 #ifdef LTC_CLEAN_STACK
103 static int _rmd160_compress(hash_state *md, const unsigned char *buf)
104 #else
105 static int  rmd160_compress(hash_state *md, const unsigned char *buf)
106 #endif
107 {
108    ulong32 aa,bb,cc,dd,ee,aaa,bbb,ccc,ddd,eee,X[16];
109    int i;
110 
111    /* load words X */
112    for (i = 0; i < 16; i++){
113       LOAD32L(X[i], buf + (4 * i));
114    }
115 
116    /* load state */
117    aa = aaa = md->rmd160.state[0];
118    bb = bbb = md->rmd160.state[1];
119    cc = ccc = md->rmd160.state[2];
120    dd = ddd = md->rmd160.state[3];
121    ee = eee = md->rmd160.state[4];
122 
123    /* round 1 */
124    FF(aa, bb, cc, dd, ee, X[ 0], 11);
125    FF(ee, aa, bb, cc, dd, X[ 1], 14);
126    FF(dd, ee, aa, bb, cc, X[ 2], 15);
127    FF(cc, dd, ee, aa, bb, X[ 3], 12);
128    FF(bb, cc, dd, ee, aa, X[ 4],  5);
129    FF(aa, bb, cc, dd, ee, X[ 5],  8);
130    FF(ee, aa, bb, cc, dd, X[ 6],  7);
131    FF(dd, ee, aa, bb, cc, X[ 7],  9);
132    FF(cc, dd, ee, aa, bb, X[ 8], 11);
133    FF(bb, cc, dd, ee, aa, X[ 9], 13);
134    FF(aa, bb, cc, dd, ee, X[10], 14);
135    FF(ee, aa, bb, cc, dd, X[11], 15);
136    FF(dd, ee, aa, bb, cc, X[12],  6);
137    FF(cc, dd, ee, aa, bb, X[13],  7);
138    FF(bb, cc, dd, ee, aa, X[14],  9);
139    FF(aa, bb, cc, dd, ee, X[15],  8);
140 
141    /* round 2 */
142    GG(ee, aa, bb, cc, dd, X[ 7],  7);
143    GG(dd, ee, aa, bb, cc, X[ 4],  6);
144    GG(cc, dd, ee, aa, bb, X[13],  8);
145    GG(bb, cc, dd, ee, aa, X[ 1], 13);
146    GG(aa, bb, cc, dd, ee, X[10], 11);
147    GG(ee, aa, bb, cc, dd, X[ 6],  9);
148    GG(dd, ee, aa, bb, cc, X[15],  7);
149    GG(cc, dd, ee, aa, bb, X[ 3], 15);
150    GG(bb, cc, dd, ee, aa, X[12],  7);
151    GG(aa, bb, cc, dd, ee, X[ 0], 12);
152    GG(ee, aa, bb, cc, dd, X[ 9], 15);
153    GG(dd, ee, aa, bb, cc, X[ 5],  9);
154    GG(cc, dd, ee, aa, bb, X[ 2], 11);
155    GG(bb, cc, dd, ee, aa, X[14],  7);
156    GG(aa, bb, cc, dd, ee, X[11], 13);
157    GG(ee, aa, bb, cc, dd, X[ 8], 12);
158 
159    /* round 3 */
160    HH(dd, ee, aa, bb, cc, X[ 3], 11);
161    HH(cc, dd, ee, aa, bb, X[10], 13);
162    HH(bb, cc, dd, ee, aa, X[14],  6);
163    HH(aa, bb, cc, dd, ee, X[ 4],  7);
164    HH(ee, aa, bb, cc, dd, X[ 9], 14);
165    HH(dd, ee, aa, bb, cc, X[15],  9);
166    HH(cc, dd, ee, aa, bb, X[ 8], 13);
167    HH(bb, cc, dd, ee, aa, X[ 1], 15);
168    HH(aa, bb, cc, dd, ee, X[ 2], 14);
169    HH(ee, aa, bb, cc, dd, X[ 7],  8);
170    HH(dd, ee, aa, bb, cc, X[ 0], 13);
171    HH(cc, dd, ee, aa, bb, X[ 6],  6);
172    HH(bb, cc, dd, ee, aa, X[13],  5);
173    HH(aa, bb, cc, dd, ee, X[11], 12);
174    HH(ee, aa, bb, cc, dd, X[ 5],  7);
175    HH(dd, ee, aa, bb, cc, X[12],  5);
176 
177    /* round 4 */
178    II(cc, dd, ee, aa, bb, X[ 1], 11);
179    II(bb, cc, dd, ee, aa, X[ 9], 12);
180    II(aa, bb, cc, dd, ee, X[11], 14);
181    II(ee, aa, bb, cc, dd, X[10], 15);
182    II(dd, ee, aa, bb, cc, X[ 0], 14);
183    II(cc, dd, ee, aa, bb, X[ 8], 15);
184    II(bb, cc, dd, ee, aa, X[12],  9);
185    II(aa, bb, cc, dd, ee, X[ 4],  8);
186    II(ee, aa, bb, cc, dd, X[13],  9);
187    II(dd, ee, aa, bb, cc, X[ 3], 14);
188    II(cc, dd, ee, aa, bb, X[ 7],  5);
189    II(bb, cc, dd, ee, aa, X[15],  6);
190    II(aa, bb, cc, dd, ee, X[14],  8);
191    II(ee, aa, bb, cc, dd, X[ 5],  6);
192    II(dd, ee, aa, bb, cc, X[ 6],  5);
193    II(cc, dd, ee, aa, bb, X[ 2], 12);
194 
195    /* round 5 */
196    JJ(bb, cc, dd, ee, aa, X[ 4],  9);
197    JJ(aa, bb, cc, dd, ee, X[ 0], 15);
198    JJ(ee, aa, bb, cc, dd, X[ 5],  5);
199    JJ(dd, ee, aa, bb, cc, X[ 9], 11);
200    JJ(cc, dd, ee, aa, bb, X[ 7],  6);
201    JJ(bb, cc, dd, ee, aa, X[12],  8);
202    JJ(aa, bb, cc, dd, ee, X[ 2], 13);
203    JJ(ee, aa, bb, cc, dd, X[10], 12);
204    JJ(dd, ee, aa, bb, cc, X[14],  5);
205    JJ(cc, dd, ee, aa, bb, X[ 1], 12);
206    JJ(bb, cc, dd, ee, aa, X[ 3], 13);
207    JJ(aa, bb, cc, dd, ee, X[ 8], 14);
208    JJ(ee, aa, bb, cc, dd, X[11], 11);
209    JJ(dd, ee, aa, bb, cc, X[ 6],  8);
210    JJ(cc, dd, ee, aa, bb, X[15],  5);
211    JJ(bb, cc, dd, ee, aa, X[13],  6);
212 
213    /* parallel round 1 */
214    JJJ(aaa, bbb, ccc, ddd, eee, X[ 5],  8);
215    JJJ(eee, aaa, bbb, ccc, ddd, X[14],  9);
216    JJJ(ddd, eee, aaa, bbb, ccc, X[ 7],  9);
217    JJJ(ccc, ddd, eee, aaa, bbb, X[ 0], 11);
218    JJJ(bbb, ccc, ddd, eee, aaa, X[ 9], 13);
219    JJJ(aaa, bbb, ccc, ddd, eee, X[ 2], 15);
220    JJJ(eee, aaa, bbb, ccc, ddd, X[11], 15);
221    JJJ(ddd, eee, aaa, bbb, ccc, X[ 4],  5);
222    JJJ(ccc, ddd, eee, aaa, bbb, X[13],  7);
223    JJJ(bbb, ccc, ddd, eee, aaa, X[ 6],  7);
224    JJJ(aaa, bbb, ccc, ddd, eee, X[15],  8);
225    JJJ(eee, aaa, bbb, ccc, ddd, X[ 8], 11);
226    JJJ(ddd, eee, aaa, bbb, ccc, X[ 1], 14);
227    JJJ(ccc, ddd, eee, aaa, bbb, X[10], 14);
228    JJJ(bbb, ccc, ddd, eee, aaa, X[ 3], 12);
229    JJJ(aaa, bbb, ccc, ddd, eee, X[12],  6);
230 
231    /* parallel round 2 */
232    III(eee, aaa, bbb, ccc, ddd, X[ 6],  9);
233    III(ddd, eee, aaa, bbb, ccc, X[11], 13);
234    III(ccc, ddd, eee, aaa, bbb, X[ 3], 15);
235    III(bbb, ccc, ddd, eee, aaa, X[ 7],  7);
236    III(aaa, bbb, ccc, ddd, eee, X[ 0], 12);
237    III(eee, aaa, bbb, ccc, ddd, X[13],  8);
238    III(ddd, eee, aaa, bbb, ccc, X[ 5],  9);
239    III(ccc, ddd, eee, aaa, bbb, X[10], 11);
240    III(bbb, ccc, ddd, eee, aaa, X[14],  7);
241    III(aaa, bbb, ccc, ddd, eee, X[15],  7);
242    III(eee, aaa, bbb, ccc, ddd, X[ 8], 12);
243    III(ddd, eee, aaa, bbb, ccc, X[12],  7);
244    III(ccc, ddd, eee, aaa, bbb, X[ 4],  6);
245    III(bbb, ccc, ddd, eee, aaa, X[ 9], 15);
246    III(aaa, bbb, ccc, ddd, eee, X[ 1], 13);
247    III(eee, aaa, bbb, ccc, ddd, X[ 2], 11);
248 
249    /* parallel round 3 */
250    HHH(ddd, eee, aaa, bbb, ccc, X[15],  9);
251    HHH(ccc, ddd, eee, aaa, bbb, X[ 5],  7);
252    HHH(bbb, ccc, ddd, eee, aaa, X[ 1], 15);
253    HHH(aaa, bbb, ccc, ddd, eee, X[ 3], 11);
254    HHH(eee, aaa, bbb, ccc, ddd, X[ 7],  8);
255    HHH(ddd, eee, aaa, bbb, ccc, X[14],  6);
256    HHH(ccc, ddd, eee, aaa, bbb, X[ 6],  6);
257    HHH(bbb, ccc, ddd, eee, aaa, X[ 9], 14);
258    HHH(aaa, bbb, ccc, ddd, eee, X[11], 12);
259    HHH(eee, aaa, bbb, ccc, ddd, X[ 8], 13);
260    HHH(ddd, eee, aaa, bbb, ccc, X[12],  5);
261    HHH(ccc, ddd, eee, aaa, bbb, X[ 2], 14);
262    HHH(bbb, ccc, ddd, eee, aaa, X[10], 13);
263    HHH(aaa, bbb, ccc, ddd, eee, X[ 0], 13);
264    HHH(eee, aaa, bbb, ccc, ddd, X[ 4],  7);
265    HHH(ddd, eee, aaa, bbb, ccc, X[13],  5);
266 
267    /* parallel round 4 */
268    GGG(ccc, ddd, eee, aaa, bbb, X[ 8], 15);
269    GGG(bbb, ccc, ddd, eee, aaa, X[ 6],  5);
270    GGG(aaa, bbb, ccc, ddd, eee, X[ 4],  8);
271    GGG(eee, aaa, bbb, ccc, ddd, X[ 1], 11);
272    GGG(ddd, eee, aaa, bbb, ccc, X[ 3], 14);
273    GGG(ccc, ddd, eee, aaa, bbb, X[11], 14);
274    GGG(bbb, ccc, ddd, eee, aaa, X[15],  6);
275    GGG(aaa, bbb, ccc, ddd, eee, X[ 0], 14);
276    GGG(eee, aaa, bbb, ccc, ddd, X[ 5],  6);
277    GGG(ddd, eee, aaa, bbb, ccc, X[12],  9);
278    GGG(ccc, ddd, eee, aaa, bbb, X[ 2], 12);
279    GGG(bbb, ccc, ddd, eee, aaa, X[13],  9);
280    GGG(aaa, bbb, ccc, ddd, eee, X[ 9], 12);
281    GGG(eee, aaa, bbb, ccc, ddd, X[ 7],  5);
282    GGG(ddd, eee, aaa, bbb, ccc, X[10], 15);
283    GGG(ccc, ddd, eee, aaa, bbb, X[14],  8);
284 
285    /* parallel round 5 */
286    FFF(bbb, ccc, ddd, eee, aaa, X[12] ,  8);
287    FFF(aaa, bbb, ccc, ddd, eee, X[15] ,  5);
288    FFF(eee, aaa, bbb, ccc, ddd, X[10] , 12);
289    FFF(ddd, eee, aaa, bbb, ccc, X[ 4] ,  9);
290    FFF(ccc, ddd, eee, aaa, bbb, X[ 1] , 12);
291    FFF(bbb, ccc, ddd, eee, aaa, X[ 5] ,  5);
292    FFF(aaa, bbb, ccc, ddd, eee, X[ 8] , 14);
293    FFF(eee, aaa, bbb, ccc, ddd, X[ 7] ,  6);
294    FFF(ddd, eee, aaa, bbb, ccc, X[ 6] ,  8);
295    FFF(ccc, ddd, eee, aaa, bbb, X[ 2] , 13);
296    FFF(bbb, ccc, ddd, eee, aaa, X[13] ,  6);
297    FFF(aaa, bbb, ccc, ddd, eee, X[14] ,  5);
298    FFF(eee, aaa, bbb, ccc, ddd, X[ 0] , 15);
299    FFF(ddd, eee, aaa, bbb, ccc, X[ 3] , 13);
300    FFF(ccc, ddd, eee, aaa, bbb, X[ 9] , 11);
301    FFF(bbb, ccc, ddd, eee, aaa, X[11] , 11);
302 
303    /* combine results */
304    ddd += cc + md->rmd160.state[1];               /* final result for md->rmd160.state[0] */
305    md->rmd160.state[1] = md->rmd160.state[2] + dd + eee;
306    md->rmd160.state[2] = md->rmd160.state[3] + ee + aaa;
307    md->rmd160.state[3] = md->rmd160.state[4] + aa + bbb;
308    md->rmd160.state[4] = md->rmd160.state[0] + bb + ccc;
309    md->rmd160.state[0] = ddd;
310 
311    return CRYPT_OK;
312 }
313 
314 #ifdef LTC_CLEAN_STACK
315 static int rmd160_compress(hash_state *md, const unsigned char *buf)
316 {
317    int err;
318    err = _rmd160_compress(md, buf);
319    burn_stack(sizeof(ulong32) * 26 + sizeof(int));
320    return err;
321 }
322 #endif
323 
324 /**
325    Initialize the hash state
326    @param md   The hash state you wish to initialize
327    @return CRYPT_OK if successful
328 */
329 int rmd160_init(hash_state * md)
330 {
331    LTC_ARGCHK(md != NULL);
332    md->rmd160.state[0] = 0x67452301UL;
333    md->rmd160.state[1] = 0xefcdab89UL;
334    md->rmd160.state[2] = 0x98badcfeUL;
335    md->rmd160.state[3] = 0x10325476UL;
336    md->rmd160.state[4] = 0xc3d2e1f0UL;
337    md->rmd160.curlen   = 0;
338    md->rmd160.length   = 0;
339    return CRYPT_OK;
340 }
341 
342 /**
343    Process a block of memory though the hash
344    @param md     The hash state
345    @param in     The data to hash
346    @param inlen  The length of the data (octets)
347    @return CRYPT_OK if successful
348 */
349 HASH_PROCESS(rmd160_process, rmd160_compress, rmd160, 64)
350 
351 /**
352    Terminate the hash to get the digest
353    @param md  The hash state
354    @param out [out] The destination of the hash (20 bytes)
355    @return CRYPT_OK if successful
356 */
357 int rmd160_done(hash_state * md, unsigned char *out)
358 {
359     int i;
360 
361     LTC_ARGCHK(md  != NULL);
362     LTC_ARGCHK(out != NULL);
363 
364     if (md->rmd160.curlen >= sizeof(md->rmd160.buf)) {
365        return CRYPT_INVALID_ARG;
366     }
367 
368 
369     /* increase the length of the message */
370     md->rmd160.length += md->rmd160.curlen * 8;
371 
372     /* append the '1' bit */
373     md->rmd160.buf[md->rmd160.curlen++] = (unsigned char)0x80;
374 
375     /* if the length is currently above 56 bytes we append zeros
376      * then compress.  Then we can fall back to padding zeros and length
377      * encoding like normal.
378      */
379     if (md->rmd160.curlen > 56) {
380         while (md->rmd160.curlen < 64) {
381             md->rmd160.buf[md->rmd160.curlen++] = (unsigned char)0;
382         }
383         rmd160_compress(md, md->rmd160.buf);
384         md->rmd160.curlen = 0;
385     }
386 
387     /* pad upto 56 bytes of zeroes */
388     while (md->rmd160.curlen < 56) {
389         md->rmd160.buf[md->rmd160.curlen++] = (unsigned char)0;
390     }
391 
392     /* store length */
393     STORE64L(md->rmd160.length, md->rmd160.buf+56);
394     rmd160_compress(md, md->rmd160.buf);
395 
396     /* copy output */
397     for (i = 0; i < 5; i++) {
398         STORE32L(md->rmd160.state[i], out+(4*i));
399     }
400 #ifdef LTC_CLEAN_STACK
401     zeromem(md, sizeof(hash_state));
402 #endif
403     return CRYPT_OK;
404 }
405 
406 /**
407   Self-test the hash
408   @return CRYPT_OK if successful, CRYPT_NOP if self-tests have been disabled
409 */
410 int rmd160_test(void)
411 {
412 #ifndef LTC_TEST
413    return CRYPT_NOP;
414 #else
415    static const struct {
416         const char *msg;
417         unsigned char hash[20];
418    } tests[] = {
419    { "",
420      { 0x9c, 0x11, 0x85, 0xa5, 0xc5, 0xe9, 0xfc, 0x54, 0x61, 0x28,
421        0x08, 0x97, 0x7e, 0xe8, 0xf5, 0x48, 0xb2, 0x25, 0x8d, 0x31 }
422    },
423    { "a",
424      { 0x0b, 0xdc, 0x9d, 0x2d, 0x25, 0x6b, 0x3e, 0xe9, 0xda, 0xae,
425        0x34, 0x7b, 0xe6, 0xf4, 0xdc, 0x83, 0x5a, 0x46, 0x7f, 0xfe }
426    },
427    { "abc",
428      { 0x8e, 0xb2, 0x08, 0xf7, 0xe0, 0x5d, 0x98, 0x7a, 0x9b, 0x04,
429        0x4a, 0x8e, 0x98, 0xc6, 0xb0, 0x87, 0xf1, 0x5a, 0x0b, 0xfc }
430    },
431    { "message digest",
432      { 0x5d, 0x06, 0x89, 0xef, 0x49, 0xd2, 0xfa, 0xe5, 0x72, 0xb8,
433        0x81, 0xb1, 0x23, 0xa8, 0x5f, 0xfa, 0x21, 0x59, 0x5f, 0x36 }
434    },
435    { "abcdefghijklmnopqrstuvwxyz",
436      { 0xf7, 0x1c, 0x27, 0x10, 0x9c, 0x69, 0x2c, 0x1b, 0x56, 0xbb,
437        0xdc, 0xeb, 0x5b, 0x9d, 0x28, 0x65, 0xb3, 0x70, 0x8d, 0xbc }
438    },
439    { "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
440      { 0x12, 0xa0, 0x53, 0x38, 0x4a, 0x9c, 0x0c, 0x88, 0xe4, 0x05,
441        0xa0, 0x6c, 0x27, 0xdc, 0xf4, 0x9a, 0xda, 0x62, 0xeb, 0x2b }
442    }
443    };
444 
445    int i;
446    unsigned char tmp[20];
447    hash_state md;
448 
449    for (i = 0; i < (int)(sizeof(tests)/sizeof(tests[0])); i++) {
450        rmd160_init(&md);
451        rmd160_process(&md, (unsigned char *)tests[i].msg, strlen(tests[i].msg));
452        rmd160_done(&md, tmp);
453        if (compare_testvector(tmp, sizeof(tmp), tests[i].hash, sizeof(tests[i].hash), "RIPEMD160", i)) {
454           return CRYPT_FAIL_TESTVECTOR;
455        }
456    }
457    return CRYPT_OK;
458 #endif
459 }
460 
461 #endif
462 
463 
464 /* ref:         $Format:%D$ */
465 /* git commit:  $Format:%H$ */
466 /* commit time: $Format:%ai$ */
467